Configuring a CMK for data encryption in Azure Database for PostgreSQL Flexible Server
You can optionally use a customer managed key (CMK) for encrypting data in the Azure Flexible Server database instance used by Cloudera.
As described in Adding a customer managed encryption key to a CDP environment running on Azure, Cloudera clusters are by default encrypted with server-side encryption (SSE) using Platform Managed Keys (PMK), and Cloudera allows you to provide an existing CMK for encrypting Cloudera clusters instead.
If you use a CMK for encrypting Cloudera clusters, you can also use that same CMK for encrypting the Azure Flexible Server database instance used by Cloudera. To do this, in addition to meeting the usual CMK prerequisites, you must create a managed identity with specific permissions. Then, during Azure environment registration in Cloudera, provide that managed identity along with the other CMK-related parameters (the CMK resource group and the key URL).
Azure prerequisites
You should first meet the CMK-related prerequisites described in Azure Requirements: Customer managed encryption keys (add additional credential permissions and create a key vault and vault key).
In addition to that, you should create a managed identity as described in Managed identity for encrypting Azure Database for PostgreSQL Flexible Server.
Create an environment with a CMK for encrypting Flexible Server
Steps
Follow the usual steps for creating a CDP environment on Azure and make sure to do the following:
- In the Register Environment wizard, on the Region, Networking and Security page find the Customer-Managed Keys section.
- Click Enable Customer-Managed Keys.
- In the same section, under Select Resource group select the resource group where your CMK is located.
- Provide the URL of the key vault key where the CMK resides. This is the same as the key identifier that you can copy directly from Azure Portal.
- Under Managed identity for encryption, select the managed identity created as a prerequisite.
If you are using the CDP CLI, pass the following parameters to the cdp environments create-azure-environment command:
cdp environments create-azure-environment \
--encryption-key-resource-group-name <CMK_RESOURCE_GROUP_NAME> \
--encryption-key-url <VAULT_KEY_URL> \
--user-managed-identity <EXISTING_MANAGED_IDENTITY>
The --encryption-key-resource-group-name parameter is not needed in some cases, as described in the CDP CLI steps listed in Adding a customer managed encryption key to a CDP environment running on Azure.
The first two parameters are required for using a CMK with Cloudera in general; the third, --user-managed-identity, must be added in order to also encrypt the Flexible Server. Specify it as the full Azure resource ID of the managed identity, as in the following example:
--user-managed-identity /subscriptions/3ddda1c7-d1f5-4e4b-ac81-0523f483b3b1/resourcegroups/test-daily-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-adminIdentity
Update an existing environment to add the managed identity
Steps
The steps for adding the managed identity are the same as those described in Set a CMK for an existing Azure environment, with one addition. In the UI, provide a managed identity in the Managed identity for encryption field in addition to the Encryption Key Resource Group and the Encryption Key URL. In the CDP CLI, specify --user-managed-identity in addition to the other two parameters:
cdp environments update-azure-encryption-resources \
--environment <ENVIRONMENT_NAME> \
--encryption-key-url <VAULT_KEY_URL> \
--encryption-key-resource-group-name <RG_NAME> \
--user-managed-identity <EXISTING_MANAGED_IDENTITY>
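The two CDP CLI commands above (create-azure-environment and update-azure-encryption-resources) take the same three CMK parameters, and a malformed key URL or identity ID is only reported once the CLI call reaches Azure. The following pre-flight script is an added example, not Cloudera's or Azure's code: it checks that the key URL has the shape of a versioned Key Vault key identifier (the value copied from the key's page in Azure Portal) and that the managed identity is a full ARM resource ID of type Microsoft.ManagedIdentity/userAssignedIdentities, then prints the argument list to paste into either command. The vault suffix vault.azure.net (public cloud), the 32-character hexadecimal key version, and all resource names and GUIDs in the demonstration are assumptions or constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Cloudera's or Azure's code): validate the CMK parameters for
#   cdp environments create-azure-environment / update-azure-encryption-resources
# before calling the CLI.
# Assumptions: public-cloud Key Vault identifiers of the form
#   https://<vault>.vault.azure.net/keys/<key-name>/<32-hex version>
# and user-assigned identity IDs of the form
#   /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>

# 0 if $1 is a versioned Key Vault key identifier (what Azure Portal shows as
# "Key Identifier"); 1 otherwise. Vault names are 3-24 alphanumerics/hyphens.
valid_key_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]{3,24}\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# 0 if $1 is a full ARM resource ID of a user-assigned managed identity.
# ARM IDs are case-insensitive ("resourcegroups" and "resourceGroups" both occur),
# hence grep -i. A bare identity name is rejected: the CLI needs the resource ID.
valid_identity_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourcegroups/[^/]+/providers/microsoft\.managedidentity/userassignedidentities/[^/]+$'
}

# Print the CMK-related arguments shared by both cdp commands, or fail with a
# message on stderr if either value is malformed.
#   $1 = CMK resource group name, $2 = key URL, $3 = managed identity resource ID
cdp_cmk_args() {
  local rg="$1" key_url="$2" mi="$3"
  valid_key_url "$key_url" || { echo "bad key URL (expected versioned Key Vault key identifier): $key_url" >&2; return 1; }
  valid_identity_id "$mi" || { echo "bad managed identity (expected full resource ID): $mi" >&2; return 1; }
  printf '%s %s %s %s %s %s\n' \
    --encryption-key-resource-group-name "$rg" \
    --encryption-key-url "$key_url" \
    --user-managed-identity "$mi"
}

# Constructed demonstration values (not real resources).
DEMO_RG="cmk-rg-example"
DEMO_KEY_URL="https://cmk-vault-example.vault.azure.net/keys/cdp-cmk/0123456789abcdef0123456789abcdef"
DEMO_MI="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cmk-rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cdp-pg-cmk-identity"

if args=$(cdp_cmk_args "$DEMO_RG" "$DEMO_KEY_URL" "$DEMO_MI"); then
  echo "cdp environments create-azure-environment <other required parameters> $args"
  echo "cdp environments update-azure-encryption-resources --environment <ENVIRONMENT_NAME> $args"
fi

# A key URL without its version segment is refused before any CLI call is made.
if ! cdp_cmk_args "$DEMO_RG" "https://cmk-vault-example.vault.azure.net/keys/cdp-cmk" "$DEMO_MI" 2>/dev/null; then
  echo "rejected unversioned key URL as expected"
fi
```

The identity check accepts the resource ID shown in the create example above verbatim; if your organization uses a sovereign cloud, widen the vault suffix in valid_key_url accordingly.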